A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is within the organization's defined risk appetite and tolerance levels. Which of the following is the BEST course of action for the risk practitioner?
Correct answer: D
The risk practitioner's best course of action when the residual risk is now within the organization's defined appetite and tolerance levels is to verify the adequacy of risk monitoring plans. Risk monitoring is the process of tracking and reviewing risk status and performance and ensuring that risk responses remain effective and efficient [1]. Risk monitoring plans are the documents that specify the objectives, scope, methods, roles, and responsibilities for the risk monitoring activities [2]. By verifying the adequacy of risk monitoring plans, the risk practitioner can:
* Ensure that the risk monitoring plans are aligned with the organization's risk strategy, objectives, and policies, and that they comply with the relevant standards and regulations [3].
* Evaluate whether the risk monitoring plans are comprehensive and consistent, and whether they cover all the key aspects and indicators of the risks and the risk responses [4].
* Identify and address any gaps, issues, or challenges that may affect the implementation or outcome of the risk monitoring plans, and recommend and implement appropriate improvement actions [5].
The other options are not the best course of action, because:
* Identifying new risk entries to include in ERM is not a relevant or necessary course of action, as it is not directly related to the residual risk or the risk responses. ERM is the process of identifying, analyzing, evaluating, and managing the risks that may affect the organization's strategic, operational, financial, or reputational objectives [6]. Identifying new risk entries is part of the risk identification process, which is the first step in ERM. It should be performed periodically or when there are significant changes in the internal or external environment, not simply because the residual risk is within the appetite and tolerance levels [7].
* Removing the risk entries from the ERM register is not a valid or advisable course of action, as it may create a false sense of security or complacency. The ERM register is a tool that records and summarizes the key information about the identified risks and the risk responses. Removing the risk entries from the register may imply that the risks no longer exist or matter, which is not true: the risks may still occur or change, and the risk responses may still fail or become obsolete. Therefore, the risk entries should be kept and updated in the ERM register unless the risks are completely eliminated or transferred.
* Performing the risk assessment again to confirm the results is not an efficient or effective course of action, as it may be redundant or unnecessary. Risk assessment is the process of estimating the likelihood and impact of risks and prioritizing them by their significance and urgency. Re-running the risk assessment is unlikely to yield new or useful information or insights and may waste time and resources. Instead, the risk practitioner should verify and validate the results of the existing risk assessment to ensure they are accurate and reliable.
References
* [1] Risk Monitoring - CIO Wiki
* [2] Risk Monitoring Plan - CIO Wiki
* [3] Risk Monitoring and Reporting - ISACA
* [4] Risk Monitoring and Control - Project Management Institute
* [5] Risk Monitoring and Review - National Academies Press
* [6] Enterprise Risk Management - CIO Wiki
* [7] Risk Identification - CIO Wiki
* [8] Risk Register - CIO Wiki
* [9] Risk Register: How to Use One in Project Management - ProjectManager.com
* [10] Risk Assessment - CIO Wiki
* [11] Risk Assessment Process - ISACA